Cybercrime costs global businesses $450 Billion per year, according to a recent study by Hiscox Insurance based on data from 2016. However, many companies are still yet to realize the gravity of this threat.
In this cybersecurity insurance guide, I'll discuss what it is, why you need it, and other useful tips you can use to protect yourself and your company.
What is Cybersecurity?
Cybersecurity is protection against the criminal or unauthorized use of data, and the measures taken to achieve this.
Furthermore, cybersecurity encompasses techniques for securing the whole computer network, its software, and its data against damage and the aforementioned unauthorized access.
The Cost of Cybercrime
As mentioned, cybercrime costs global businesses $450 Billion per year. This figure is so significant it can feel beyond most people’s comprehension. To make the scale of the problem more relatable, it’s perhaps easier to consider the impact of just one of many recent high-profile cyber attacks – the one that hit credit reference agency Equifax in the USA.
This security breach resulted in 143 Million Americans having their personal details exposed to hackers. Personal information that included their dates of birth, home addresses, and Social Security numbers. Over 200,000 consumers affected by the breach also had their credit card numbers exposed.
The number of US citizens affected by this breach alone came very close to half of the population of America. Furthermore, it wasn’t the first such large-scale cyber attack and is extremely unlikely to be the last.
It sometimes feels like people are becoming desensitized to such IT security events. Press coverage after the Equifax attack suggested that despite concern about the impact of the cyberattack, fewer than one in five people actually did anything to shore up the security of their personal information. However, we can be sure that as soon as individuals affected find themselves a victim of identity theft or financial loss as a result, they will immediately look to seek some recourse.
This is why, in a world where cybercrime is booming (let’s, once again, remember that $450 Billion figure), cybersecurity insurance is also growing in popularity amongst companies of all sizes. Quite rightly, they are looking to protect themselves from financial loss and legal problems if and when they become the next Equifax.
The Growth of Cybersecurity Insurance
Cybersecurity insurance is an insurance product that’s been historically slow to get off the starting blocks, primarily due to the difficulty of eliminating the related risks, and the ever-evolving nature of threats to company IT systems. The Wikipedia entry for cyber insurance refers to the market for such insurance growing far more slowly than was anticipated a decade or so ago.
Despite this, reports show that over 130 insurance companies added cyber insurance to their product ranges last year. It’s increasingly a type of coverage that businesses of all sizes need to consider, to protect them if and when, despite their best efforts, they are the next victim of the world’s growing army of hackers and cybercriminals.
You may be wondering, at this point, whether Equifax had cybersecurity insurance. Shortly after the breach, a company representative stated that “Equifax carries cybersecurity, crime, general-liability and other lines of insurance.” However, press reports speculate that the company’s coverage, protecting them for damages up to $100-150 Million, will prove woefully inadequate to protect them from the full financial impact of their IT security breach. The class-action lawsuits will probably continue to roll in for years to come.
Do I need Cybersecurity Insurance?
The “TL;DR” answer to whether you need Cybersecurity insurance is probably a resounding “yes,” if you run any kind of connected business and wish to sleep more soundly at night.
UK insurer, Hiscox, provides a list of reasons why a company may want Cybersecurity insurance, and they include being “reliant on computer systems to conduct your business” and “having a website.” In this day and age, that doesn’t leave room for many exceptions!
While it’s the large-scale cybercrime events such as the Equifax hack that hit the headlines, and similar occurrences at the likes of Yahoo! and the UK’s National Health Service, it’s definitely not only large organizations that face attacks from hackers and have to deal with the aftermath. This is an aftermath that can often include financial impact, reputational damage, and a clean-up operation that’s hugely disruptive to daily business.
Consider this: 60% of all small businesses get hacked each year. Not only that, these small businesses don’t tend to have the resources that their larger counterparts have to help them recover from a cybercrime incident. These resources can include anything from a well-staffed IT team to mop up the damage, to the necessary financial buffer to get through the crisis. So, one could argue that smaller businesses need Cybersecurity insurance as much as, if not more than, larger firms.
While they may not hit the front pages of national newspapers, there is no shortage of online examples of where small businesses have been successfully targeted by cybercriminals. These include incidents where SMEs have found their bank accounts drained of sums ranging from around $20,000 to over $1 Million. Depending on the size of the business, either of the sums could be enough to bankrupt the company.
An often-mentioned cybercrime statistic is that 60% of small companies who are victims of a cyber attack never recover from it and are out of business within six months. Although degrees of attack severity naturally vary, it’s fair to say that companies of all sizes should take cyber threats seriously, and take out insurance to protect themselves.
Does my Company Qualify?
A quick Google search for cyber insurance throws up plenty of options, including many aimed at small businesses. In many cases, these policies are inexpensive, not even hitting a three-figure sum for each monthly premium payment. One has to wonder exactly what level of coverage this is genuinely going to obtain, so reading the small print is obviously fundamental.
As with many kinds of insurance, it makes sense to talk to a broker who truly understands your business. While the kind of “one size fits all” policies with low premiums that appear on a typical Google search might allow you to tick a box that says you have Cybersecurity insurance, having the full confidence that it will actually protect your business is another matter entirely.
If you give this some thought, it quickly becomes clear why it’s essential to opt for an adequately underwritten policy if you decide to take out cyber insurance. If you find an online provider who’s happy to offer the same generic cyber insurance policy to companies with vastly different business models, the chances are you’re not looking at a great policy. A company with one computer that doesn’t store much in the way of personal details is clearly at far less risk than one that sells online and processes and stores credit card details. The impact of an attack would be vastly different too.
So, it’s perhaps less a question of whether your company qualifies for cyber insurance, and more one of finding some insurance that’s actually worth the paper it’s written on. You won’t have any trouble finding a company to sell you cyber insurance, but you could have more difficulty finding one that will reliably pay out in the event of a claim. Of course, this goes for all types of insurance.
Ensuring your policy is valid
As with all insurance policies, you’ll usually be expected to comply with a range of terms and conditions to ensure that your insurance remains valid.
An appropriate (if slightly unusual) analogy here regards insurance for bicycles. Policies protecting against the theft of bicycles are easy to obtain, but their small print often reveals a host of obligations the policyholder must meet in order to be protected. This usually includes using an industry-standard cycle lock, and ensuring the bike is attached to an immovable object, even when it’s stored at home.
It’s often the case with insurance that meeting the obligations of a policy proves as costly and time-consuming as purchasing the policy itself, and it’s no different with Cybersecurity insurance. A recent study on the cybersecurity insurance market in Sweden showed that many insurers “impose information and IT security requirements on their customers.”
It’s therefore pointless to purchase the insurance and not read the small print – which is true for any kind of insurance. If you don’t meet your obligations, the insurance can end up invalid.
When is Cybersecurity Insurance Worthwhile?
As with all business insurance, a sensible general rule to follow is that if cybersecurity insurance is affordable and protects against significant financial risk, then it is worthwhile to have.
However, it’s reasonable to mention that some companies probably need it more than others. If you store and process customers’ financial details, it’s arguably very foolish not to insure against cyber risks. Companies with only a small online presence and no financial exposure may wish to take a more relaxed approach. However, even the smallest of company bank accounts could become the target of a hacker. Furthermore, premiums for companies with less perceived risk should, at least in theory, be considerably smaller.
There’s also a potential political aspect to consider. If your business moves in the kind of circles that hackers and cybercriminals dislike – such as anything considered too close to “the establishment,” or anything that could be perceived to curtail liberty – hackers could make a specific beeline for you, so this is something to always keep in mind.
An interesting recent statistic to raise at this point is that only 10% of UK SMEs have arranged cyber insurance at the time of writing. However, growth predictions for this industry suggest the tide is turning and that more people are becoming aware of the need for it.
The cover included with a typical cyber insurance policy can often sound very impressive. It usually includes things like:
- Payment of ransom money in the event of a ransomware attack.
- Coverage for business interruption.
- Coverage for legal costs surrounding any breach.
- Loss of income protection while your business repairs the damage.
- Coverage for fines imposed by regulators for data breaches.
- Forensic analysis costs.
- Credit monitoring costs. (Equifax funded free credit monitoring for all affected customers following their 2017 breach).
Impressive though this all sounds, the nature of cyber insurance means that this doesn’t all just come into effect automatically as soon as any kind of breach occurs. Usually, in the event of a claim situation, your insurance company will work with you to assess the damage and help to “manage the crisis.”
Typically, policies also have excess payments in place. So, for example, it could potentially prove more cost effective to pay a $350 ransomware demand than the $2000 policy excess for a claim. So, it’s well worth keeping in mind the fact that cyber insurance is really there to protect you if something goes horribly wrong, despite you taking the right precautions and doing everything right. It’s not there to rescue you from every tiny little IT-security-related incident. However, this doesn’t mean it’s not something that’s worthwhile to have in place.
If you run a business, you will need to do your own cost vs. benefit analysis on this, and read all the small print of any policy you’re tempted by.
Checking your existing insurance
Before committing to a regular expense for another insurance policy, it’s well worth looking at what insurances you already have in place.
Many small businesses purchase “all in one” business insurance packages, often covering various liabilities and indemnities. Sometimes these can include IT-related insurances, such as insurance to help recover from virus attacks.
It’s unlikely that such a “packaged” insurance policy would include full cyber insurance, but it’s still worth checking what you are already covered for. You may decide that you already have adequate coverage for your personal situation and attitude to risk. Or, you may be able to reduce the cost of a cybersecurity insurance product if you’re already covered for some of the potential situations.
Checking out insurance deals does take time, and sometimes it can prove hard to find a broker who’s not purely after their commission. However, time spent doing the right research and ensuring your policy is correctly underwritten is better and less stressful than time spent chasing after a claim that may not be paid in the event of a disaster.
Other ways to make your company “cyber secure”
Of course, it’s never a case of just buying suitable cybersecurity insurance and then sitting back and relaxing. It’s also essential to minimise the risks of falling victim to cyberattacks and information security breaches in the first place.
There are a series of technical steps that all sensible companies should take to protect their systems. As previously mentioned, some of these may be mandatory in order for your cyber insurance policy to maintain its validity. We’ll move onto those precautions shortly. But first, let’s talk about the number one thing companies should focus on to reduce their chance of being the victim of a cyber attack:
User Education
The biggest point of failure when it comes to cybersecurity is not out-of-date antivirus software, a poorly configured firewall, or an inefficient IT department. Errors made by employees using the computer systems are the number one reason companies fall victim to hackers.
One recent report states that in excess of 90% “of all cyber attacks are successfully executed with information stolen from employees who unwittingly give away (…) credentials to hackers.”
This is a staggering number and one that makes you look twice to confirm it’s correct. Sadly, it is. What it clearly doesn’t mean is that employees go around willingly handing out their usernames and passwords. Instead, hackers use social engineering techniques and phishing attacks to trick people into unknowingly handing out these details to them.
Phishing techniques can range from the crude to the ingenious. Sometimes, it merely takes a convincing email appearing to come from the IT department to convince a member of staff to hand over their login credentials. One single username and password is often all a hacker needs to gain remote access to a network, and from there they can exploit other vulnerabilities and use other hacking techniques to burrow further and further in – a technique often referred to as “spear phishing.”
Phishing is sometimes far more sophisticated, involving concerning emails that convince people their banking or PayPal accounts have been compromised. These emails then lead to plausible-looking login pages that look like the genuine article. All the user then has to do is try to log on to them and they’ve immediately handed over their email address and password.
Anyone who needs convincing of how ubiquitous such phishing emails are need only look in the junk email folder of a well-established email account. Such messages are sent out with alarming regularity.
Phishing continues to be a “weapon of choice” for hackers for the simple fact that it works. Whether in the form of a phone call, email or convincing website login page, all hackers need to do is continually refine their methods and make them credible enough to fool people.
The whole point of this explanation is to emphasize the essential role of user education in keeping IT systems safe. Depressingly, however, the evidence seems to suggest that many people wilfully ignore such advice. As recently as January 2017, it was revealed that over 50% of people use easy-to-guess passwords such as “123456” – and it therefore seems likely that plenty of people also close their ears to advice around using unique passwords for different accounts.
All of this makes life far easier than it needs to be for hackers.
The answer to user education around cybersecurity is to make it something that’s not optional. Instead of merely insisting on complex passwords, enforce the use of them too, by configuring systems to require them. If need be, use a disciplinary procedure when employees refuse to take their role in this seriously.
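One way to make a system enforce the rule rather than merely state it, as an added example that is not part of the original guide: a check run wherever a password is set, which refuses short, common, username-based or repetitive choices. The thresholds, the small denylist and the dict standing in for a credential store are assumptions made for illustration.

```python
import hashlib
import os
import unicodedata

# Assumed policy values for illustration; the guide does not specify any.
MIN_LENGTH = 12
MIN_DISTINCT_CHARS = 5

# Constructed sample denylist. A real deployment would load a large list of
# breached passwords; "123456" is the example the guide cites.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome",
                    "iloveyou", "admin", "monkey", "dragon"}

# Undo common look-alike substitutions so "P@ssw0rd" folds to "password".
_SUBSTITUTIONS = str.maketrans("0134578@$!", "oleastbasi")
_TRAILING_FILLER = "0123456789!@#$%^&*?._-"


def _fold(text):
    """Normalise Unicode, ignore case and reverse look-alike substitutions."""
    return unicodedata.normalize("NFKC", text).casefold().translate(_SUBSTITUTIONS)


_FOLDED_DENYLIST = {_fold(p) for p in COMMON_PASSWORDS}


def _variants(password):
    """Yield the folded password, plus its stem without trailing digits/symbols."""
    yield _fold(password)
    stem = password.rstrip(_TRAILING_FILLER)
    if stem and stem != password:
        yield _fold(stem)  # "Password1!" is still just "password"


def _is_run(password):
    """True for 'aaaa', 'abcdef', '654321': one constant step of -1, 0 or +1."""
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def check_password(password, username):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if any(v in _FOLDED_DENYLIST for v in _variants(password)):
        problems.append("common_password")
    name = username.casefold()
    if len(name) >= 3 and name in password.casefold():
        problems.append("contains_username")
    if len(set(password)) < MIN_DISTINCT_CHARS or _is_run(password):
        problems.append("low_variety")
    return problems


class PasswordRejected(ValueError):
    """Raised when a proposed password violates the policy."""


def set_password(store, username, password):
    """Enforcement point: nothing is stored unless the policy check passes.

    `store` is a plain dict standing in for a credential store (hypothetical).
    """
    problems = check_password(password, username)
    if problems:
        raise PasswordRejected(", ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    store[username] = (salt, digest)  # salted hash only, never the password
```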
It’s also essential to train staff in the ways hackers are going to try to outwit them. Show them examples of fake PayPal login pages and phishing emails (they’re not hard to find). Tell them the statistics around this. Most importantly, ensure that everyone is aware that it’s not possible for the IT department to make company systems “bulletproof” just by installing the correct software.
Far too many non-technical users believe it’s down to the antivirus software and firewalls to protect them from the realities of cybersecurity. To some extent this is true, but these products cannot protect people from themselves. It’s absolutely essential that anyone using your company systems understands this – hence the length of this section.
Technical Measures
When it comes to protecting your IT services from a technical perspective, many of the steps are obvious but still worth emphasizing. Antivirus software is, of course, a must. And with malware incidences on Apple’s Mac platform up 230% in 2017, it’s now becoming hard to argue that Macs don’t need antivirus just as much as Microsoft Windows platforms.
Antivirus software isn’t all equal, so it’s well worth researching it in detail to choose the correct product. It’s also not something to “set and forget.” For effective protection, antivirus software should always be kept fully up-to-date, with full system scans configured to run on a regular basis. Depending on your company culture, this could be the responsibility of individual users or your IT department. It doesn’t matter who, so long as someone’s doing it.
Good antivirus and Internet Security products often include some level of protection against phishing emails and dishonest websites. While these are obviously useful features, they should be treated as a complement to user education and not an alternative to it.
Firewalls come in various forms; some are hardware devices that protect office networks or data centers, others are software or cloud-based products that can protect individual machines or web applications. There’s no hard and fast rule that dictates what kind of firewall protection you need, but one or more such products would usually form a piece of your company’s internet security jigsaw.
Two Factor Authentication is described here and is a great way of adding a level of security to anything that requires a login and password. By adding a second login requirement, such as a unique code sent by SMS to a user’s phone, 2FA makes life much harder for opportunistic hackers. There are ways to add such authentication to anything from Windows domain networks to individual websites. Implementing two-factor authentication is often a relatively low-cost way of adding a substantial extra level of security to critical systems.
VPNs (Virtual Private Networks) are a great way to boost online privacy and can protect company data when workers are away from your central office. For example, insisting that staff use VPNs for public WiFi networks is a great step to take to prevent them from inadvertently leaking important company login details. Our VPN for Beginners guide is a useful and detailed guide for further reading.
Data Encryption is something companies often think little about that can immediately improve the security of company data. If a member of staff leaves an unencrypted laptop on public transport, it’s child’s play to access the data within, even if there’s a password in place. All anyone needs to do is remove the hard drive and connect it to another machine.
Full disk encryption is easy to implement (and particularly easy on an Apple Mac, with just one tickbox), and therefore well worth considering to plug this security hole.
Software Updates are another essential detail that frequently gets ignored, with people often far too content to hit the “remind me later” button for weeks on end. However, in many cases, these updates are issued as a specific response to security flaws in operating systems or software products.
One high-profile example of the importance of software updates was when it was revealed that much of the impact of the headline-grabbing cyber attack on the UK National Health Service could have been avoided if IT staff had installed a patch that had been made available weeks before. More recently, Apple themselves did some serious reputational damage with a bug that made it incredibly easy to hack any Mac with the most up-to-date operating system. The patch for that is not something any user would want to delay installing.
SSL for your company website is increasingly becoming a must too, especially with Google now marking out non-SSL sites as “insecure.” HTTPS is explained here. Upgrading an insecure website to HTTPS is inexpensive (or even free). There are some precautions to take, but it’s something everyone should do.
Have another scan through the list above and see how many of these things you feel your business is truly “on top of.” If there are shortcomings, every one that you work through will make your systems more secure. It’s also worth emphasizing that ticking some or all of these boxes may well be a prerequisite for ensuring any cyber insurance coverage is valid. You’ll need to check your own insurance documentation to find out.
Online Dangers
We’ve already touched on some of the cyber dangers facing businesses of all sizes. These are the dangers that Cybersecurity insurance aims to protect against. In this section, we look at some of the most significant dangers in a little more detail.
Phishing
As discussed above, phishing is a huge risk to businesses. Furthermore, an initial phishing “incident” where a hacker manages to get hold of a username and password, or some other information that facilitates a “way in” to company systems, can mark the start of an attack that could involve other cybercrime techniques too. For example, a hacker could use phishing to source a password, and then launch a ransomware attack once system access was gained.
The extent to which phishing is covered under a cyber insurance policy can vary, to say the least. A rather scary online account of a related claim can be found here. In that example, the insurance company refused to pay out because “the policy did not cover CEO fraud or business email compromise.”
This brings us back to the user education section above. If a staff member is tricked into handing a hacker a direct way into company systems, claims on a cyber insurance policy could prove problematic. The only advice we can really provide here is to ask what would happen in such a scenario (and get it in writing) before taking out a policy – and not when the worst happens.
Ransomware
Everyone’s heard of ransomware these days. It was ransomware at the center of a huge global hack that disrupted numerous blue chip companies in early 2017, as well as the UK’s National Health Service.
People switched on their computers to find they had no access to their applications and files; instead, they were faced with a screen demanding they hand over a “ransom” to access their now-encrypted data files. The specific ransom on this occasion ranged from $300-600 worth of the cryptocurrency Bitcoin. Eventually, the hackers reportedly managed to cash out in excess of $130,000 in Bitcoin as a result.
Ransomware attacks have one specific quirk: They needn’t cause any damage beyond disruption so long as you have a backup. Systems can be reinstalled, and as long as there’s a backup of the data, there’s no need to pay any ransom.
Ransomware issues can also hit businesses of all sizes – often because, thanks to a phishing attack, an unsuspecting member of staff is tricked into installing something they shouldn’t. Ransomware can, therefore, be as much of a problem to a large business, where it can fly around a local area network cross-infecting multiple machines, as it can to a freelancer without a backup who loses access to all their customer documents.
Cyber insurance policies usually include provisions for ransomware, which can extend to paying out a ransom to the hackers. However, the most effective protection against ransomware comes in the form of a rock-solid backup regime. If you’re able to restore your data, the hackers can do no more than inconvenience you.
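A backup only counts if a restore from it gives back the original files. The following added example, which is not part of the original guide, records a SHA-256 manifest at backup time and checks a test restore against it; the file names and contents are constructed, and the manifest is assumed to be kept somewhere the backed-up machine cannot overwrite.

```python
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/' separated) to its SHA-256."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a test restore against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        # In the manifest but absent from the restore.
        "missing": sorted(set(manifest) - set(restored)),
        # Present but with different content, e.g. encrypted before the backup ran.
        "changed": sorted(p for p in manifest
                          if p in restored and restored[p] != manifest[p]),
        # Not in the manifest, e.g. renamed copies or dropped notes.
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def restore_is_clean(report):
    """A restore passes only when nothing is missing, changed or unexpected."""
    return not any(report.values())


def run_constructed_restore_test():
    """Build a constructed data set, then check one good and one bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(live, "invoices"))
        os.makedirs(os.path.join(live, "contracts"))
        samples = {  # constructed sample files
            "invoices/2017-01.csv": b"id,amount\n1,100\n",
            "contracts/acme.txt": b"constructed contract text\n",
            "customers.db": b"constructed customer records\n",
        }
        for rel, content in samples.items():
            with open(os.path.join(live, *rel.split("/")), "wb") as handle:
                handle.write(content)
        manifest = build_manifest(live)

        good = shutil.copytree(live, os.path.join(tmp, "restore_good"))
        good_report = verify_restore(manifest, good)

        # Simulate a backup taken after files were already damaged:
        # one file overwritten, one renamed with an added extension.
        bad = shutil.copytree(live, os.path.join(tmp, "restore_bad"))
        with open(os.path.join(bad, "customers.db"), "wb") as handle:
            handle.write(b"\x00" * 32)
        os.rename(os.path.join(bad, "contracts", "acme.txt"),
                  os.path.join(bad, "contracts", "acme.txt.locked"))
        bad_report = verify_restore(manifest, bad)
        return good_report, bad_report
```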
Ransomware is not going anywhere. Numerous studies show the rate of ransomware infection continuing a stratospheric rise, including one that states that a company somewhere is newly infected with ransomware every 40 seconds.
Data Breaches
While sometimes cyber attacks can “merely” lock you out of your data or compromise your digital security, things get really serious when they result in a breach of customer data. If you have to admit to your customers that you’ve failed in your duty to protect their personal information, reputational damage is all but guaranteed. Furthermore, there are potential legal ramifications, along with the strong possibility that this breach of trust will lose you some business.
Many of the high-profile cyberattacks that hit the headlines involve a loss of customer data. The Equifax breach we refer to above is the most recent at the time of writing, but there have been plenty more incidents in recent years.
In 2013, Yahoo! was hit with a data breach. Full details took years to emerge, but it eventually became clear that the scale of the breach was enormous, with three Billion user accounts affected. Other enormous data breaches include a hack in 2011 on Sony’s PlayStation Network, which for some customers included the release of their credit card details. Then, in 2016, there was a breach of customer information for 57 Million Uber users. Uber did much to compound their reputational damage by covering up the hack for a prolonged period.
Cyber insurance policies usually include coverage for exactly this kind of event, including help with “crisis containment,” which can include assistance with PR and customer relationship management. When a system is breached and customer details are revealed to hackers, there are far-reaching implications, including the prospect of legal issues with government regulators. With this type of incident, cyber insurance can prove as valuable for the expert support an insurance company can call on as it is for the financial safety net.
And that safety net is important too. As discussed earlier, the aftermath of the Equifax hack is only just beginning, and there are already class-action lawsuits lined up. Depending on the damage done, the financial impact can be enormous in these situations.
Business Interruption
Business interruption often goes hand in hand with one or more of the other possible impacts of a cyber attack. For example, a company that’s spending its time pacifying customers who’ve had their personal details stolen, or running around restoring backups after a ransomware attack, is unlikely to have the time and resources to concentrate on the day-to-day running of the business properly and making money.
For small businesses with limited staff resources, it’s this interruption that can push a company into ruin. Customers can disappear overnight if you’re unable to serve them. As such, a sudden and unexpected end to the flow of the “money tap” can prove disastrous.
A broker for business insurance cover in Australia has published a host of online examples of where insurance companies have paid out for business interruption and loss of revenue – often involving six and seven-figure sums. Business interruption can prove to be one of the most significant impacts of a cyber attack. It’s therefore unsurprising that most cyber insurance policies include provisions for it. If you’re unable to earn revenue, the right policy can replace that lost income while the crisis is resolved.
The Main Types of Cybersecurity Insurance
Just as car insurance policies often have different provisions for everything from third party liability to legal protection, via smaller details such as key loss protection and breakdown cover, cyber insurance policies have plenty of component parts.
In some cases, various protections are available as separate insurance products, or as add-ons to one central product. If you’re responsible for sourcing cyber insurance for a larger business, you may find you need several policies to cover all of the risks. Smaller businesses may find that an “all in one” cybersecurity insurance policy covers all the required bases. As is always the case, reading all of the small print is paramount.
To help you understand some of the typical parts of a cyber insurance policy, here are some of the sections you’ll typically see within these products. As mentioned, sometimes you may need more than one policy to cover all the risks you need to mitigate.
Litigation and Regulatory Cover
This kind of cover is all about the legal ramifications of recovering from a cyber attack. It could include the cost of defending one or more court cases or the payment of a fine to a government regulator in the event of a data breach.
"Regulatory response” cover could be part of this, or perhaps offered separately. This covers additional costs in reference to your firm’s regulatory responsibilities. For example, you may need to undertake a forensic investigation to uncover the details of how a cyberattack took place. "Privacy protection” also links into this, if it becomes necessary to compensate customers for the loss of their data.
Crisis Management / Containment
As referred to in the “data breaches” section above, crisis containment usually involves the insurance company playing an active role in recovering from the aftermath of a cyber attack. It can include managing your firm’s interactions with disgruntled customers or the press and establishing a communication strategy.
This type of cover can provide benefits beyond the financial because smaller firms are unlikely to have an in-house communications team with experience of dealing with such events.
Breach Costs / Damage Cover
Repairing the damage done by hackers can often cost a significant amount of money. Systems may need to be repaired or replaced, resulting in unexpected expenses that you’ll want to insure against.
The cost of recovering from a breach could also include making certain services available to affected customers. Returning, once again, to the large-scale Equifax breach, the company had to make credit monitoring services available to customers affected. This is fairly standard in situations where personal (especially financial) details have been compromised.
Extortion Cover
Nobody likes to think that sometimes hackers get away with their crimes to the point that they actually get paid their desired ransoms! However, reports suggest that even the FBI sometimes recommends the payment of a ransom in certain hacking scenarios.
Extortion cover is there to fund the payment of such a ransom if the situation dictates it’s the best course of action.
Multimedia Liability
While multimedia liability cover isn’t really much to do with hacking scenarios, it’s often included in, or offered as a “bolt-on” to, cyber insurance policies.
This kind of cover protects your business in situations where someone accidentally breaches copyright, for example by using a copyrighted image online by mistake.
How To Get Cyber-Insured?
Finding the right Cybersecurity insurance product can be an involved process. It’s also not one to take lightly, as having insurance that doesn’t end up paying out is no better than having no insurance at all.
Before looking at some options, it’s important to emphasize that insurance policies and related laws can vary significantly from country to country. In researching this article, we looked mostly at the UK and USA insurance markets, which have plenty of similarities, but lots of countries have their individual quirks.
While a Google search for “cyber insurance” will yield plenty of instant results and the tempting proposition of “instant cover,” it’s rarely wise to just “find and buy.” As with all insurance, it’s essential to ensure the insurance company fully understands your business and quotes accordingly. Ideally, you should aim for a policy that’s fully underwritten by an insurer that understands your company, what it does, and what your likely cyber risks are. For those who don’t relish the prospect of spending time on the phone answering questions, this is perhaps bad news, but also an unavoidable reality.
One detail to make sure is clear is which countries you perform work in. For example, a policy from a UK insurer may only cover work done in the UK, or perhaps Europe. If you also do more global business, you must be certain the insurer is aware. Sadly, this detail often pushes the price up!
A trusted insurance broker can prove helpful here, so long as the emphasis is on “trusted!” Some brokers are little more than salespeople who nudge their clients towards the policies that earn them the most commission. Furthermore, cyber insurance is a relatively new product on the market, so not all “one size fits all” insurance brokers will have a strong knowledge of it.
If you’re sourcing cyber insurance for a large company, the chances are you’ll want to involve your legal team and do extensive due diligence before signing up. Smaller companies and “one-man bands” will need to make do with the best possible combination of broker support, detailed reading of policy terms and conditions, product comparisons, and asking lots of pertinent questions. Needless to say, if you seek clarification of any fine details, push to obtain the answers in writing.
As a starting point to learn what to look for, here are details of typical small business cyber insurance policies from Hiscox in the UK, and Hiscox in the USA. Please note that these are not recommendations, but have simply been included here as they are quite clear examples of what to expect.
Representatives of larger companies will need to speak to insurance companies directly or work through a broker. As mentioned, a trusted broker is an asset to a small business also, so long as they’re not simply hawking products on behalf of a single insurance company.
There’s also nothing to say that the cyber insurance products that appear on a Google search aren’t worth the paper they’re written on. So long as you read the small print and select a known and trusted company, they may well fit the bill. However, beware of just grabbing a policy for the sake of having one. Insurance companies have no issue taking premium payments from new customers – the questions will arise at claim time, however. It makes far more sense to answer as many questions as possible before signing up for a policy.
Cybersecurity Insurance Conclusion
Sometimes, in life, it’s wise to be a little paranoid. When it comes to cybersecurity in business, it’s common sense to be that way. This is especially true in a world where we’re constantly being shown statistics that prove things like phishing and ransomware are becoming more of a problem and not less of one.
At ProPrivacy.com, we have a wealth of resources available to help you learn more about cybersecurity and protect your online privacy, ranging from using a password strength checker to detailed articles on the kind of privacy threats you need to look out for. We actively encourage everyone to stay on top of the latest developments in the world of cybersecurity, because we can be sure that within a year from now, plenty more Equifax and Yahoo-style incidents will have hit the headlines.
If you run a small business and get hit by a cyberattack, it probably won’t reach the national news, but that doesn’t mean it won’t destroy your company, or at least cost you dearly in terms of finance and reputation. Cyber insurance doesn’t protect you from every opportunistic hacker, but it does buy you some peace of mind, and some support and financial backup should the worst happen.
A recent CNBC report revealed that 87 percent of SME owners “don’t feel that they’re at risk of a cybersecurity attack.” The same report shows that 14 million US businesses have been hacked in the past 12 months. That’s about half the small businesses in the country, and the same number or more can expect their turn in the year ahead. Whichever way you look at it, that’s an awful lot of company owners in for a rude awakening in 2018 and beyond.
With that in mind, we’ll leave you to decide if cyber insurance is worth investing in.